
OCR Settlements on the Rise as HHS Resumes Enforcement


With two OCR settlements announced within the span of a week, it seems the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has resumed its enforcement efforts.

On July 23, OCR announced a $25,000 settlement with Metropolitan Community Health Services, and on July 27, OCR announced a $1,040,000 settlement with Lifespan Affiliated Covered Entity. Both entities are also subject to corrective action plans and two years of monitoring by OCR. The details of both OCR settlements are discussed below.

OCR Settlements: Metropolitan Community Health Services

On June 9, 2011, Metropolitan Community Health Services (Metro) filed a breach report with OCR regarding an unauthorized disclosure of protected health information (PHI). The breach occurred when PHI was sent to an unknown email account, compromising the PHI of 1,263 patients. Although the breach itself would not normally lead to a HIPAA fine, OCR's investigation found that Metro had a long history of noncompliance with the HIPAA Security Rule.

The noncompliance included:

  • Failure to conduct any risk analyses
  • Failure to implement policies and procedures
  • Failure to provide workforce members with security awareness training

OCR Director Roger Severino stated, “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”

For more information on the OCR settlement, please click here.

OCR Settlements: Lifespan Affiliated Covered Entity

On April 21, 2017, Lifespan Affiliated Covered Entity’s (Lifespan ACE) parent company, Lifespan Corporation, filed a breach report with OCR. The breach was the result of an employee leaving a laptop unattended in their car. The laptop was stolen, and because it was unencrypted, the PHI of 20,431 patients was compromised.

Upon investigation, OCR discovered that Lifespan ACE was not compliant with HIPAA standards. The noncompliance included:

  • Failure to encrypt ePHI on laptops when it was reasonable and appropriate to do so
  • Failure to implement media and device controls
  • Failure to have a business associate agreement with Lifespan Corporation

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.

For more information on the OCR settlement, please click here.